This article was originally published in Issue 2 of Southern Africa Digital Rights, an online publication produced under the project "The African Declaration on Internet Rights and Freedoms: Fostering a human rights-centred approach to privacy, data protection and access to the internet in Southern Africa".
Malawi was under British protection from 1891 to 1964, known then as Nyasaland, until it gained complete independence from the United Kingdom. It transitioned into a republic with a one-party governmental system in 1966, following a series of constitutional amendments. In 1994, a new constitution was enacted, introducing a bill of rights that paved the way for significant changes in the socio-political landscape, including the communications sphere. [1]
This shift led to the creation of various policy instruments aimed at regulating communication services. Notable among these instruments are the Communications Act (initially drafted in 1998 and revised in 2016), [2] guiding the regulation of broadcasters and telecommunication firms, alongside the Electronic Transactions and Cyber Security Act of 2016 [3] and the Access to Information Act of 2017. [4] The implementation of the Communications Act established the Malawi Communications Regulatory Authority (MACRA), responsible for enforcing the Electronic Transactions and Cyber Security Act.
Since the early 1990s, Malawi has witnessed a surge in media organizations, outlets, and telecommunication companies. This period has seen significant growth in cellular phone usage and a remarkable expansion in Internet accessibility and usage.
The state of internet rights, policy and governance
Malawi lacks a robust, currently enacted data protection law. However, data protection provisions are embedded in the Constitution of Malawi and outlined within the Electronic Transactions and Cyber Security Act of 2016 (referred to as ‘the Act’). Section 21 of the Malawian Constitution grants every individual the right to personal privacy. This encompasses the right to be free from (a) personal, home, or property searches; (b) private possessions seizure; or (c) interference with private communications, including mail and all telecommunication forms.
Nevertheless, authorities are increasingly demanding citizens to surrender personal information for routine activities, ranging from using a mobile phone to participating in elections. The absence of a clear data protection law jeopardizes citizens’ right to privacy.
After the enactment of the January 2010 National Registration Act, the Malawian government initiated nationwide registration in 2017. [5] This mandates every Malawian aged 16 and above to enroll in the national register and acquire a national identity card.
According to the National Registration Bureau (NRB), the national ID system would serve many purposes by acquiring “information about the population” that would enable “policymakers to use data-driven planning” for development and services delivery. For individuals, this would give them “proof of their nationality and personal information so that they can use it to claim their benefits.” [6]
In January 2018, MACRA announced a mandatory national sim card registration exercise. Based on the Communications Act of 2016, this required everyone with a mobile phone number in the country to register their sim card. In July 2022, the Authority held a series of meetings with the media and other stakeholders announcing that they will soon embark on registration of mobile phone handsets.
MACRA says these registrations are important for several reasons: First, to prevent fraudulent practices; to recover stolen phones; offer protection from violence, threats, or hate texts; and check fraud and theft committed via mobile phones. Similarly, banks and telecommunication companies operating mobile money services embarked on a “know your customer” exercise in which Malawians were required to present their national ID for all transactions.
Data collected for the National Register includes a person’s surname and given names, nationality, date of birth, and place of birth. The NRB also collects data on one’s sex, current residence, height, eye colour, passport number, marital status and parents’ information. The bureau also collects biometric information, including all 10 fingerprints, a personal photograph and signature.
Meanwhile, there are a growing number of cases where people claiming to be from various organisations and financial institutions demand money from people. [7] It isn’t clear how these people obtained the personal information necessary, however, the suspicion is that information given registering agencies is not protected. This is just one of the dangers posed to individuals by the unregulated or uncontrolled collection, storage and use of personal data.
A move towards data protection
The government of Malawi finalised the drafting of Data Protection Bill in June 2021. [8] The aim of this Bill is to provide a comprehensive legislative framework for the protection and security of personal data, consolidate data protection provisions currently found in various Acts of Parliament, and protect the digital privacy of individuals without hampering social and economic development in the country. The Minister of Justice is yet to submit the Bill for cabinet approval.
In the words of CIPESA Analysis Report of the bill of May 2021, ”Enacting the data protection law would represent fulfilment of the state’s obligation to protect the right to privacy of the individual and represent a key step towards meeting Malawi’s commitments under international human rights law”. [9]
Barriers to data protection, access and affordability of the internet
According to Kainja, 2019, “The improved access to and use of ICT, coupled with the aforementioned reforms have also allowed the government to adopt measures that curtail internet freedoms, including the criminalisation of online communication and massive collection of personal data.” [10] These measures are enabled in part by retrogressive provisions in the 2016 Communications Act and the 2016 Electronic Transactions and Cyber Security Act.
Internet freedom in Malawi has been affected by the limited state investment in ICT and internet infrastructure needed to facilitate affordable access to the internet, and the cost of internet services continues to rise. Since the current government led by President Lazarus Chakwera took office in 2020, there have been outcries that the cost of internet data must fall. Internet users in Malawi enjoyed unlimited data bundles with 40 Gigabytes at the highest speed of 5 megabytes per second costing about 35 United Stated Dollars for one month. However, in early August 2022 one mobile network provider announced increasing the price of the unlimited data bundles by almost 100 per cent.
Moreover, levies imposed on internet service providers and telecommunication companies exacerbate the challenges in achieving affordable internet access. The primary responsibility to enhance affordability lies with the government, as it holds the authority to legislate and ensure law enforcement. However, the government has yet to repeal or amend outdated laws from colonial and dictatorship eras that contradict human rights and impede media freedoms. These laws remain in effect, conflicting with the country’s constitution.
While civil society demonstrates vibrancy in various social development realms, its proactive stance toward internet freedom and digital rights remains nascent. These issues are still emerging for many civil society organizations and human rights defenders in the country.
The regulator
The Malawi Communications Regulatory Authority (MACRA) regulates the country’s telecommunication sector. It is mandated to make regulations and policies that govern the telecommunications sector.
The regulator issues operating licenses; monitors and enforces compliance with regulations; hears and determines disputes and complaints brought by industry or members of the general public; plans, controls and manages the frequency spectrum efficiently in order to maximise frequency availability; and protects the interests of consumers, purchasers and other users of communication services from unfair business practices, poor quality services and harmful or inferior products.
According to the draft Data Protection Bill, MACRA has the mandate for its enforcement.
Constitutional underpinning
The government initiated drafting of the Data Protection Bill, having realised that the country’s economy is increasingly reliant on digital technologies and therefore there is a need to protect personal data of individuals collected, generated, stored and utilized by public and private sector institutions including in the provision of healthcare, health and other types of insurance, education, banking and financial services, hospitality services, civil registration, voting, immigration, national ID and delivery of social programmes.
The overall objective of this Bill is to regulate matters relating to personal data but does not apply to the collection or processing of personal data for personal, recreational or household purposes, or for security, law enforcement or public health purposes.
The data protection bill is aligned with international treaties Malawi is a party to, such as the International Covenant on Civil and Political Rights (ICCPR), [11] as well as the country’s constitution, which is the supreme law of the country. The constitution has safeguards in its Bill of Rights that protect people’s democratic rights.
Government, through the Bill, designates the Malawi Communications Regulatory Authority as the Authority to regulate and monitor personal data protection and digital privacy in Malawi and oversee the implementation of and be responsible for the enforcement of the Bill.
The Bill establishes a Data Protection Office within the Authority responsible for the activities relating to data protection under the Bill. From the onset, this arrangement may threaten the independence of the office. Setting up an independent Data Protection Commission because, while the Authority will be enforcing the law using the Communications Act and the Electronic Transaction and Cyber Security Act, the Data Protection Office will be focusing on protecting the public and adjudicating on complaints from the public about the same.
Similarly, the principles governing the processing of personal data should be applied in other sectors as well and in both public and private entities.”. The Bill requires a data controller or data processor to process data fairly and in a transparent manner and only where (a) the data subject has given and not withdrawn his consent, and (b) the data are required for legitimate purposes outlined in the Bill. The Bill further limits the processing of sensitive personal data.
Where the Bill empowers a data subject who is aggrieved by the decision, action or inaction of a data controller or data processor in violation of this Bill and or regulations, rules or other subsidiary legislation or orders to lodge a complaint with the Authority, there is need for an independent commission to initiate an investigation and not the Authority as outlined in the Bill.
The Bill proposes that Parliament should make this Bill the umbrella law on the protection and security of personal data in Malawi, by amending or repealing provisions related to personal data protection in two existing Acts of Parliament, namely, Access to Information Act, 2017 and Electronic Transactions and Cyber Security Act, to eliminate inconsistencies between this Bill and the said two Acts of Parliament.
Existing legal framework on data protection
The Electronic Transactions and Cyber Security Act of 2017
This Act defines personal data as ”any information relating to an individual who__ (a) may be directly identified; or (b) if not directly identified, may be identifiable by reference to an identification number or one or several elements related to his physical, physiological, genetic, psychological, cultural, social, or economic identity.”
This law defines a data subject as “a person from whom data relating to that person is collected, processed or stored by a data controller.” Additionally, Section 74 requires data controllers to ensure that clients’ data is secure and is protected against accidents or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access by third parties, especially if the processing involves the transmission of data over a network.
The Communications Act of 2016
Under Section 176(1), the Act criminalises unlawful interception or interference by service providers, noting that, “a licensee operating an electronic communications network or providing an electronic communications service who, other than in the course of its duty, intercepts, interferes with the contents of, or modifies, any message sent as part of the electronic communications service, commits an offence and shall, upon conviction, be liable to a fine and imprisonment.”
The Access to Information Act of 2016
This Act provides for the right of access to information in the custody of public bodies and relevant private bodies as well as the processes and procedures for obtaining such information. Section 20(1) requires an information holder to notify third parties, if he considers that the information being requested relates to confidential or commercial interests, in writing with details of the request.
Third parties are required to respond in writing within 10 working days from the date of receipt of the notice and indicate whether they consider the information to be confidential and give reasons why the information should not be disclosed.
The National Statistics Act of 2013
Section 10 of the National Statistics Act, 2013 empowers the National Statistics Organisation (NSO) to collect all types of information, including personal information, nationwide on behalf of the government. While, Section 12(11) of the same Act states that the Commissioner or any authorised officer may, for any purpose connected to collecting statistical information, enter and inspect any land, building or other premises, vehicle, vessel or aircraft, it also says that they can only enter such areas with the consent of property owners or the backing of a warrant; and they are enjoined to maintain decency and order, including the protection of a person’s right to dignity, freedom and privacy, under section 12(5).
Conclusion
The current legal and policy framework faces a significant challenge due to delays in enacting the privacy and data protection law. This delay becomes especially problematic amid heightened personal data collection and an increase in financial fraud cases within the country. Additionally, the privacy and data protection bill doesn’t encompass national and multinational companies, including banks and telecommunication firms, which also handle data.
Regrettably, the existing draft laws on data protection lack adequate safeguards for resolving user complaints. The sole handling of all matters by the government Authority raises concerns about potential conflicts of interest in addressing complaints.
The proposed structure of the Data Protection Office weakens its financial, decision-making, and institutional independence. Malawi should consider establishing an independent Data Protection Commission or Authority outside MACRA.
Moreover, the Minister responsible for personal data protection and security should ensure that the bill mandates the inclusion of representatives from various sectors, such as human rights advocates, media organisations, doctors, lawyers, and other stakeholders in the regulatory framework. This inclusive approach would support the formation of an independent Data Protection Commission. The bill should also clarify the criteria for appointing a Data Controller.
The overdue Malawi Data Protection Act, despite commendable ongoing efforts, requires swift enactment by the parliament. Implementing the above proposals would ensure adequate protection of individuals’ rights.
Notes
1 akn-mw-act-1994-20-eng-2020-11-03.pdf (malawilii.org)
2 ACT41.PDF (itu.int)
3 Electronic Transaction and Cyber Security Act 2016 - MACRA
4 akn-mw-act-2017-13-eng-2017-02-16.pdf (malawilii.org)
5 National Registration (nrb.gov.mw)
6 https://citizenshiprightsafrica.org/why-malawi-urgently-needs-a-data-pr…
7 There are a growing number of cases where people claiming to be from various organisations and financial institutions demand money from people.
8 Malawi-Data-Protection-Bill-final-draft-210630-.pdf (pppc.mw)
9 https://cipesa.org/wp-content/files/State-of-Internet-Freedom-in-Malawi…
10 google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwiptMft6tqCAxXtY0EAHTiDDzsQFnoECBAQAQ&url=https%3A%2F%2Fwww.ajol.info%2Findex.php%2Fjh%2Farticle%2Fview%2F251334%2F237536&usg=A…
11 https://www.ohchr.org/en/instruments-mechanisms/instruments/internation…